User Management
1008
SonicOS 5.8.1 Administrator Guide
SonicWALL SSO Authentication Using Browser NTLM Authentication
For users browsing with Mozilla-based browsers (including Internet Explorer, Firefox, Chrome and Safari), the SonicWALL appliance supports identifying them via NTLM (NT LAN Manager) authentication. NTLM is part of a browser authentication suite known as “Integrated Windows Security” and is supported by all Mozilla-based browsers. It allows a direct authentication request from the appliance to the browser without involving the SonicWALL SSO agent. NTLM is often used when a domain controller is not available, such as when the user is remotely authenticating over the Web.

NTLM Authentication is currently available for HTTP only; it is not available for use with HTTPS traffic.

Browser NTLM authentication can be tried before or after the SonicWALL SSO agent attempts to acquire the user information. For example, if the SonicWALL SSO agent is tried first and fails to identify the user, then, if the traffic is HTTP, NTLM is tried.

To use this method with Linux or Mac clients as well as Windows clients, you can also enable SSO to probe the client for either NetAPI or WMI, depending on which is configured for the SSO Agent. This causes the SonicWALL appliance to probe for a response on the NetAPI/WMI port before requesting that the SSO Agent identify a user. If no response occurs, these devices fail SSO immediately. For a Windows PC the probe will generally work (unless blocked by a personal firewall), and the SonicWALL SSO agent will be used. For a Linux/Mac PC (assuming it is not set up to run a Samba server) the probe will fail, the SSO agent will be bypassed, and NTLM authentication will be used when HTTP traffic is sent.

NTLM cannot identify the user until they browse with HTTP, so any traffic sent before that will be treated as unidentified. The default CFS policy will be applied, and any rule requiring authenticated users will not let the traffic pass.

If NTLM is configured to be used before the SonicWALL SSO agent, then if HTTP traffic is received first, the user will be authenticated with NTLM. If non-HTTP traffic is received first, the SonicWALL SSO agent will be used for authentication.

The number of NTLM user logins is combined with the number of SSO logins, and the total at any time cannot exceed the Max SSO Users limit for the appliance model. The specific Max SSO Users value is provided in the TSR. For information about the TSR, see the “Using the Single Sign-On Statistics in the TSR” section on page 1103.
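The following is an added worked example, not code from the SonicOS guide or from SonicWALL: a small Python model of the identification order described in this section (probe, SSO agent, browser NTLM, HTTP-only restriction, and the combined Max SSO Users limit). It lets an administrator predict which mechanism will identify a given flow and whether a rule requiring authenticated users would pass it. The class and function names (`SsoConfig`, `Appliance.identify`, `rule_allows`) and the sample clients are this example's own constructions; the limit value is a placeholder, since the real one comes from the appliance's TSR.

```python
"""Constructed model of the SonicOS 5.8.1 SSO identification order.

Not SonicWALL code: it encodes the rules stated in the guide so the outcome for a
given client and traffic type can be reasoned about. All names are this example's own.
"""
from dataclasses import dataclass, field
from enum import Enum


class Method(Enum):
    SSO_AGENT = "sso_agent"
    NTLM = "ntlm"
    UNIDENTIFIED = "unidentified"


@dataclass
class SsoConfig:
    ntlm_enabled: bool = True
    ntlm_before_agent: bool = False   # NTLM may be tried before or after the SSO agent
    probe_client: bool = False        # probe the NetAPI/WMI port before asking the agent
    max_sso_users: int = 2500         # placeholder; the real limit is model-specific (see TSR)


@dataclass
class Client:
    responds_to_probe: bool   # Windows PC: usually yes; Linux/Mac without Samba: no
    known_to_agent: bool      # whether the SSO agent can identify this user at all


@dataclass
class Appliance:
    cfg: SsoConfig
    # user -> Method; NTLM and agent logins share one count against Max SSO Users
    logins: dict = field(default_factory=dict)

    def _agent_identifies(self, client: Client) -> bool:
        # With probing on, a silent NetAPI/WMI port fails SSO immediately and
        # the agent is bypassed; otherwise the agent is consulted.
        if self.cfg.probe_client and not client.responds_to_probe:
            return False
        return client.known_to_agent

    def identify(self, client: Client, protocol: str) -> Method:
        """Return the mechanism that identifies this flow, or UNIDENTIFIED."""
        ntlm_possible = self.cfg.ntlm_enabled and protocol == "http"  # NTLM is HTTP-only
        order = ([Method.NTLM, Method.SSO_AGENT] if self.cfg.ntlm_before_agent
                 else [Method.SSO_AGENT, Method.NTLM])
        for method in order:
            if method is Method.NTLM and ntlm_possible:
                return Method.NTLM
            if method is Method.SSO_AGENT and self._agent_identifies(client):
                return Method.SSO_AGENT
        return Method.UNIDENTIFIED

    def login(self, user: str, client: Client, protocol: str) -> Method:
        """Identify the flow and record the login if the combined limit allows it."""
        method = self.identify(client, protocol)
        if method is Method.UNIDENTIFIED:
            return method
        if user not in self.logins and len(self.logins) >= self.cfg.max_sso_users:
            return Method.UNIDENTIFIED  # NTLM + agent logins already at Max SSO Users
        self.logins[user] = method
        return method


def rule_allows(method: Method, requires_auth: bool) -> bool:
    """A rule requiring authenticated users drops unidentified traffic;
    other rules fall back to the default (CFS) policy and let it through here."""
    return not requires_auth or method is not Method.UNIDENTIFIED


# Constructed sample clients for the scenarios in the text.
WINDOWS_PC = Client(responds_to_probe=True, known_to_agent=True)
LINUX_PC = Client(responds_to_probe=False, known_to_agent=False)

if __name__ == "__main__":
    appliance = Appliance(SsoConfig(probe_client=True))
    for name, client in (("windows", WINDOWS_PC), ("linux", LINUX_PC)):
        for proto in ("http", "smtp"):
            m = appliance.login(f"{name}-user", client, proto)
            print(f"{name:8}{proto:6}-> {m.value:13} auth-rule passes: {rule_allows(m, True)}")
```

Running the block with probing enabled shows the two cases the guide spells out: the Windows PC is identified by the SSO agent for any protocol, while the Linux PC is identified only once it sends HTTP (via NTLM) and its non-HTTP traffic stays unidentified and is blocked by rules that require authenticated users.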
How Does SonicWALL SSO Agent Work?
The SonicWALL SSO Agent can be installed on any workstation with a Windows domain that can communicate with clients and the SonicWALL security appliance directly using the IP address or using a path, such as VPN. For installation instructions for the SonicWALL SSO Agent, refer to the “Installing the SonicWALL SSO Agent” section on page 1062.

Multiple SSO agents are supported to accommodate large installations with thousands of users. You can configure up to eight SSO agents, each running on a dedicated, high-performance PC in your network. Note that one SSO agent on a fast PC can support up to 2500 users.

The SonicWALL SSO Agent only communicates with clients and the SonicWALL security appliance. The SonicWALL SSO Agent uses a shared key for encryption of messages between the SSO Agent and the SonicWALL security appliance.